Why Popcorn Time's 'jailbreak-free' iOS hack is a bad idea

Popcorn Time aggregates the world's supply of movies and television shows into a beautifully organized and searchable display. It relies on peer-to-peer distribution using BitTorrent. Unfortunately for all concerned, the supply it taps into comprises almost entirely pirated content.

Popcorn Time aggregates the world's supply of movies and television shows into a beautifully organized and searchable display. It relies on peer-to-peer distribution using BitTorrent. Unfortunately for all concerned, the supply it taps into comprises almost entirely pirated content.

It was well known that nearly all digital (and many digitized) television episodes and movies were available somewhere in the world, but putting a Netflix-like browsing interface on top of it that any ordinary user could access was a success. Popcorn Time quickly garnered millions of users. The main project was shut down over a year ago, but as it was open source, other versions forked from the original code.

One of them launched a beta version of Popcorn Time on April 8 that promises to bring the same experience in the desktop version and under Android to iOS. The problem is, it's a giant hack.

Slipping through security holes

Popcorn-Time.se, among the most popular forks, released iOS Installer for Windows (XP and later) to work around Apple's prohibition on arbitrary app installation. Yes, you read that right: you need a Windows system to install Popcorn Time for iOS, and have to carry out the task over USB as well.

The installer says it's jailbreak free, although there's a jailbreak option for Popcorn Time as well. Based on other reports, it looks like Popcorn Time is relying on Apple's iOS Developer Enteprise Program. This $299-per-year option allow companies to develop in-house apps that Apple never approves and can only be distributed to employees, by the program's rules.

The theoretical Masque Attack, discussed and named last November by security researchers, relied on the same developer program. Masque Attack proposed that malware could be distributed by a malicious party who could sign up for an enterprise developer account and then push out apps that would require users to accept and install an associated profile.

Wired, which communicated with the developers, reports they say they're relying on revoked and expired certificates.

So let's review what you have to do to install Popcorn Time for iOS:

Trust that anonymous developers, who are facilitating the access to mostly pirated content, are acting in your best interests, and avoid including malware or adware. (Some Popcorn Time forks also offer paid VPN service.)

Trust those developers to maintain a high level of project security to prevent malicious third parties from inserting malware.

Download and install a Windows program.

Connect an iOS device to a Windows system via USB and run the Windows software.

Trust a installation profile from developers who are subverting Apple's system.

Run an app created by those developers.

That's a lot of vectors for trouble and a lot of trust to invest. You're never going to get me, for instance, to install random Windows software that wasn't signed through Microsoft's system. That system, like Apple's, is not at all foolproof, but it provides a mechanism to revoke a malicious app's ability to install. (Also, I'd have to have a working Windows virtual machine or computer, too.)

(The OS X apps from various forks are also unsigned, which is perfectly legitimate--not all Mac developers care to pay Apple's fee--but they have the same problem as unsigned Windows apps. However, the Popcorntime.io team recommends turning off Gatekeeper entirely to install its version, which is terrible, terrible advice, however well intentioned.)

Kernels panic

The issue of whether it's by any means reasonable to install Popcorn Time for iOS is separate from whether the project is legal. I am not a lawyer, and Macworld does not offer legal advice. There are a variety of court decisions in different countries that could construe pointing people to content that is available without the copyright holder's permission is either within or outside the law.

And, as with all torrenting, not all content available is posted without permission. All sorts of creators release music and video that's licensed and distributed perfectly legally. Popcorn Time doesn't help sort through that morass, and it's true that the vast majority of desirable media falls outside legitimate licensing.

However, that's not really the point here. I've long thought that Apple should allow sideloading--the installation of software outside of an authorized store--by having a "do you know what you're doing" option in iOS, just as Gatekeeper offers different levels of trust in OS X. Sideloading shifts the burden of trust and consequence onto the user, and would allow the use of legal apps that don't meet Apple's stringent rules for distribution.

Popcorn Time for iOS tries to offer a version of sideloading, but there are far too many pieces of its process to worry about. Further, it's not likely to be reliably available. Apple controls the enterprise program centrally through accounts and digital certificates, both of which it can revoke. The Popcorn Time installer recommends putting your device into Airplane Mode during installation, ostensibly to avoid a certificate check. However, Apple could easily add additional checks or validations, as I suggested back in November that they might need to if abuse of its enterprise program expanded.

It's unimaginable that Apple would ever allow something like Popcorn Time in the App Store. It's also inadvisable by any standard to install software like it through the method the developers provide.